Teamviewer recently keeps trying to connect to websites I have visited
I am using Little Snitch firewall on my MacBook Pro to protect my computer and recently, it started popping up messages that Teamviewer is try to connect to website xyz. It appears tp either be going through my entire list of bookmarks or saved passwords (I hope not). This only appears to happen when I open the app from its minimized running state. My system configuration has not changed. Is anyone else experiencing this? Does anyone have any idea why Teamviewer suddenly needs to connect to every website I visit or bookmark? And, for the last question, does anyone have any ideas how to stop Teamviewer's unexpected behavior? Thank you for any insights or guidance that can be provided.
Best Answer
-
Thanks @HappyFeet, that screenshot was very helpful to reproduce this internally, as it narrowed it down to saved passwords. It seems that these connections are triggered when icons ("favicons") are missing for websites that have passwords saved in the Passwords app.
Retrieving these icons is not something TeamViewer does. As a matter of fact, it would not even be able to access the necessary information to do so. Rather, these connections are implicitly triggered through the password autofill functionality, and they are then (incorrectly) attributed to TeamViewer. You will probably see the same behavior with any other 3rd party app if you happen to be in a password field at the moment where the OS decides that it needs to retrieve these icons.
While it should not be necessary to block those connections, if you choose to do so, the only "negative" effect seems to be that icons are not to displayed for saved passwords. At a later point, those icons would probably be retrieved elsewhere, where those connections are permitted, e.g. in Safari.
0
Answers
-
@HappyFeet That does indeed sound quite unusual. Could you please send a screenshot of one of the popup alert you are seeing?
In the firewall's popup alert, please click the Info (i) button so it shows the detailed information about the process and the connection. Please copy & paste it, or include the entire text in a screenshot (you'll probably need to take two and scroll down in the second one so the entire text is shown). Please make sure to remove any personal information, in particular your username, before posting it here.
Could you please also send a screenshot of the firewall's connection monitor, with all TeamViewer-related sections in the left sidebar expanded?
Which version of macOS are you running?
What exactly do you mean by "when I open the app from its minimized running state"? Do you mean that TeamViewer is configured to start with macOS, and this happens when you click the TeamViewer icon in the Dock to open the main window for the first time? Or does it happen any time when you minimize and later restore the minimized main window from the Dock?
0 -
@MoreCoffee Thank you for the quick response. I am running Sequoia 15.2 on a 2020 Intel MacBook Pro with Bitdefender AV Plus, MalwareBytes and Little Snitch.
As I replayed the events that led up to this behavior, I recalled it wasn’t the restore of the minimized icon running that started with the laptop startup, but rather when I connected to my in-laws computer to help them which started by restoring the icon. As soon as I connected, Little Snitch prompted me to Allow/Not Allow ~30 URLs (all that I have visited over time and/or are in my Password app). I declined each one however, once I realized the list was getting pretty long, I let it timeout and then clicked Cancel All and closed the app. I then went into Little Snitch’s rules list and deleted all of the new rules under the Teamviewer section. When I reloaded the app and connected again, the same behavior began again. I repeated the above steps and added a couple AV/AM scans which yielded no findings. I then powered down/up the computer which appeared to stop the behavior.
Today, in order to respond to your email, I attempted to replicate the behavior so I could take some screenshots however, I couldn’t replicate the behavior. This leaves me a bit frustrated, stumped and concerned. Prior to the power cycle mentioned above, deep scans did not find anything… and still do not. I know I saw Little Snitch declaring "TeamViewer wants to connect to…” messages. Now it behaves as expected.
Any ideas where to go from here?
Thank you very much. Happy New Year!
0 -
@HappyFeet Thanks, and a Happy New Year to you too!
After seeing your post, I came across reports of similar behavior with a well-known desktop publishing app, so this does not seem to affect only TeamViewer.
It almost looks like there might be a bug in macOS that triggers bookmarks-related connections when 3rd party apps (which integrate web technologies) are opened, and those connections appear as if they are coming from that 3rd party app. My best guess right now is that it could be somehow related to Safari periodically updating icons for bookmarked websites.
We have reported this issue to Apple, and we are also trying to reproduce it internally.
0 -
@MoreCoffee Thank you for letting me know what you learned and for reporting the issue to Apple. On the one hand, I am glad to learn it doesn't appear to be TeamViewer and on the other, a bit concerned it may be a macOS bug.
Do you have any suggestions for me other than to deny any connection attempts that may arise in the future?
Please keep me posted with any news you may learn.
Many thanks for the outstanding support! Happy New Year!
0 -
@MoreCoffee The behavior occurred again today. I went to restore the TeamViewer icon so I could help my mom with her computer. When the TeamViewer screen restored, I was logged out (I never logged out). When I clicked on the field to begin entering my credentials, Little Snitch intercepted what appeared to be several attempts by TeamViewer to connect to multiple sites that are both in my browsing history and Password app (very disconcerting). I declined the requests. Attached is a screenshot of one of the outbound connection attempts. I hope these steps may assist in reproducing the issue internally.
0 -
Thanks @HappyFeet, that screenshot was very helpful to reproduce this internally, as it narrowed it down to saved passwords. It seems that these connections are triggered when icons ("favicons") are missing for websites that have passwords saved in the Passwords app.
Retrieving these icons is not something TeamViewer does. As a matter of fact, it would not even be able to access the necessary information to do so. Rather, these connections are implicitly triggered through the password autofill functionality, and they are then (incorrectly) attributed to TeamViewer. You will probably see the same behavior with any other 3rd party app if you happen to be in a password field at the moment where the OS decides that it needs to retrieve these icons.
While it should not be necessary to block those connections, if you choose to do so, the only "negative" effect seems to be that icons are not to displayed for saved passwords. At a later point, those icons would probably be retrieved elsewhere, where those connections are permitted, e.g. in Safari.
0 -
Thank you for the explanation regarding what you found. Greatly appreciate it.
0
